Out-of-date drivers trigger malware attacks for years on Windows PCs

Microsoft released updates for the malicious drivers but those never stuck, leaving PCs open to malware

The vulnerable drivers can be exploited to trigger certain type of attacks called BYOVD

Out-of-date driver list left Windows devices open to cyber threat attacks for years. Upgrades were released for devices, but those never helped to mitigate issues with possible malware attacks.^[1] Microsoft, unfortunately, dialed to protect Windows computers from malicious drivers for almost three years. According to reports,^[2] the company has released updates with added new drivers to the blocklist. However, even downloaded on devices, those updates never worked.

The vulnerable driver list is regularly updated, however we received feedback there has been a gap in synchronization across OS versions

These unpatched and unfixed malicious drivers left users; devices vulnerable to particular BYOVD attacks.^[3] Drivers are computer operating system files that communicate with external devices and hardware like printers, routers, graphics cards. These drivers can access the core of the OS or kernel, so these pieces need to be safe to use and digitally signed.

However, these pieces can have vulnerabilities and security bugs that can be exploited and abused by hackers and threat actors. These pieces and security holes can be used to gain direct access to machines, so malware attacks can be launched directly, or spying campaigns start from there.

Major attacks have already been recorded

Hackers have abused these vulnerabilities, and several of these campaigns have been carried out in the wild. Threat actors used these methods to deploy BlackByte ransomware a few months back, and vulnerable drivers got used for the overclocking utility MSI AfterBurner. There were other incidents where cybercriminals exploited flaws in the anti-cheat driver for the Genshin Impact game.

Lazarus hacker group from North Korea is known for these BYOVD attacks.^[4] Aerospace employees in the Netherlands and political journalists in Belgium in 2021 were the targets. However, these reports from security firms only were released this month and broke the news to the public.

Lazarus (also known as HIDDEN COBRA) has been active since at least 2009. It is responsible for high-profile incidents.

These Lazarus campaigns started with spear-phishing emails containing Amazon-themed documents to target particular people. The goal of the attacker was to exfiltrate data from machines and networks that can be used in state-sponsored attacks and further malicious campaigns.

Known malware using these BYOVD attacks

SlingShot malware hid in the infected system for six years when the particular security firm managed to detect the active campaign.^[5] The malware exploited security flaws that had been found in 2007. These vulnerabilities were found in drivers like Speedfan.sys, sandra.sys, and others. Drivers have been digitally signed once, so Microsoft had no way to prevent Windows from loading them normally. Even when the malware issues have been reported and found.

Other threats using these types of attacks have been recorded before. RobbinHood is the ransomware that installs the gigabyte motherboard driver and then relies on abusing the particular CVE-2018-19320 flaw that installs the particular malicious driver. The first UEFI rootkit used in the attack – Lojax can gain access to targeted modules. This malware can install a powerful utility named RWEverything that has a proper digital signature.

It is unfortunate, but Microsoft has not created a viable defense to stop BYOVD attacks. The company claims that Windows users can enable the feature that automatically blocks known vulnerable drivers. However, it does not work on ThinkPads running the latest version of Windows 10. There is hypervisor-protected code integrity that is supposed to protect against malicious drivers. This feature, as reported by security experts, is not helping with proper protection again these malicious drivers.